wip: Add support for Ed25519 in PIV sample code

Author: DennisDyallo

Yubico.YubiKey/examples/PivSampleCode/Converters/KeyConverter.Pem.cs

@@ -81,6 +81,7 @@ public static PivPrivateKey GetPivPrivateKeyFromPem(char[] pemKeyString)
         // of the ECDsa object.
         public static AsymmetricAlgorithm GetDotNetFromPem(char[] pemKeyString, bool isPrivate)
         {
+            
             byte[] encodedKey = Array.Empty<byte>();
             var rsaParams = new RSAParameters();
             var eccParams = new ECParameters();

Yubico.YubiKey/examples/PivSampleCode/DotNetOperations/PublicKeyOperations.cs

@@ -14,6 +14,8 @@
 
 using System;
 using System.Security.Cryptography;
+using Org.BouncyCastle.Crypto.Parameters;
+using Org.BouncyCastle.Crypto.Signers;
 using Yubico.YubiKey.Piv;
 
 namespace Yubico.YubiKey.Sample.PivSampleCode
@@ -48,6 +50,24 @@ public static bool SampleVerifySignature(
                 throw new ArgumentNullException(nameof(publicKey));
             }
 
+            if (publicKey.Algorithm is PivAlgorithm.EccEd25519)
+            {
+                // Create Ed25519 public key parameters
+                var withoutPivHeader = publicKey.YubiKeyEncodedPublicKey.Span[2..];
+                var ed25519key = new Ed25519PublicKeyParameters(withoutPivHeader);
+
+                // Verify the signature
+                var verifier = new Ed25519Signer();
+                verifier.Init(false, ed25519key); // false indicates verification mode
+                verifier.BlockUpdate(dataToVerify, 0, dataToVerify.Length);
+
+                bool isValid = verifier.VerifySignature(signature);
+
+                Console.WriteLine($"Signature (Base64): {Convert.ToBase64String(signature)}");
+                isVerified = isValid;
+                return isVerified;
+            }
+
             using var asymObject = KeyConverter.GetDotNetFromPivPublicKey(publicKey);
 
             // The algorithm is either RSA or ECC, otherwise the KeyConverter

Yubico.YubiKey/examples/PivSampleCode/KeyCollector/SampleKeyCollector.cs

@@ -168,7 +168,7 @@ public static byte[] CollectValue(string defaultValueString, string name)
             SampleMenu.WriteMessage(MessageType.Title, 0, "Enter D for default value (" + defaultValueString + ")");
             char[] collectedValue = SampleMenu.ReadResponse(out int _);
 
-            if (collectedValue.Length == 1 && collectedValue[0] == 'D')
+            if (collectedValue.Length == 1 && (collectedValue[0] == 'D' || collectedValue[0] == 'd'))
             {
                 return defaultValueString switch
                 {

Yubico.YubiKey/examples/PivSampleCode/PivSampleCode.csproj

@@ -30,4 +30,8 @@ limitations under the License. -->
     <ProjectReference Include="..\SharedSampleCode\SharedSampleCode.csproj" />
   </ItemGroup>
 
+  <ItemGroup>
+    <PackageReference Include="BouncyCastle.Cryptography" Version="2.5.1" />
+  </ItemGroup>
+
 </Project>

Yubico.YubiKey/examples/PivSampleCode/Run/PivSampleRun.Operations.cs

@@ -16,6 +16,7 @@
 using System.Linq;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
+using Yubico.YubiKey.Cryptography;
 using Yubico.YubiKey.Piv;
 using Yubico.YubiKey.Sample.SharedCode;
 
@@ -248,19 +249,32 @@ public bool RunImportPrivateKey()
                 return RunInvalidEntry();
             }
 
-            if (!GetPemPrivateKey(algorithm, out string pemKey))
+            if (!GetPemPrivateKey(algorithm, out string pemPrivateKey))
+            {
+                return false;
+            }
+            
+            if (!GetPemPublicKey(algorithm, out string pemPublicKey))
             {
                 return false;
             }
 
-            var pivPrivateKey = KeyConverter.GetPivPrivateKeyFromPem(pemKey.ToCharArray());
-            var pivPublicKey = KeyConverter.GetPivPublicKeyFromPem(pemKey.ToCharArray());
+            // var pivPrivateKey = KeyConverter.GetPivPrivateKeyFromPem(pemKey.ToCharArray());
+            // var pivPublicKey = KeyConverter.GetPivPublicKeyFromPem(pemKey.ToCharArray());
+
+            var base64PrivateKey = GetBytesFromPem(pemPrivateKey);
+            var privateKeyParameters = Curve25519PrivateKeyParameters.CreateFromPkcs8(base64PrivateKey);
+            
+            var base64PublicKey = GetBytesFromPem(pemPublicKey);
+            var publicKeyParameters = Curve25519PublicKeyParameters.CreateFromPkcs8(base64PublicKey);
 
             if (KeyPairs.RunImportPrivateKey(
                 _yubiKeyChosen,
                 _keyCollector.SampleKeyCollectorDelegate,
-                pivPrivateKey,
-                pivPublicKey,
+                privateKeyParameters,
+                publicKeyParameters,
+                // pivPrivateKey,
+                // pivPublicKey,
                 slotNumber,
                 pinPolicy,
                 touchPolicy,
@@ -273,7 +287,7 @@ public bool RunImportPrivateKey()
 
             return false;
         }
-
+        
         public static bool WriteImportCertMessage()
         {
             SampleMenu.WriteMessage(MessageType.Title, 0, "See the items/code for BuildSelfSignedCert and BuildCert");
@@ -303,10 +317,19 @@ public bool RunSignData()
             // This sample code will use SHA-384 for EccP384, and SHA-256
             // for all other algorithms.
             var hashAlgorithm = HashAlgorithmName.SHA384;
-            if (signSlotContents.Algorithm != PivAlgorithm.EccP384)
+            
+            if (signSlotContents.Algorithm == PivAlgorithm.EccEd25519)
             {
-                hashAlgorithm = HashAlgorithmName.SHA256;
+                hashAlgorithm = HashAlgorithmName.SHA512;
             }
+            else
+            {
+                if (signSlotContents.Algorithm != PivAlgorithm.EccP384)
+                {
+                    hashAlgorithm = HashAlgorithmName.SHA256;
+                }
+            }
+
 
             byte[] dataToSign = GetArbitraryDataToSign();
 
@@ -922,18 +945,90 @@ private static bool GetPemPrivateKey(PivAlgorithm algorithm, out string pemKey)
                         "3tD+iq9lgB+8QNDJP6C6KginR3H1jMNRPMvaNrQC/VBpse+1Z1t5pvo=\n" +
                         "-----END PRIVATE KEY-----";
                     break;
+                
+                
+                case PivAlgorithm.EccEd25519:
+                    pemKey = "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEIDuLFRxirWSFqyiMTPB65M4sWI+smRcCdyMEL8RtN7ib\n-----END PRIVATE KEY-----";
+                    break;
+                
+                case PivAlgorithm.EccX25519:
+                    pemKey =
+                        "-----BEGIN PRIVATE KEY-----\n" +
+                        "MC4CAQAwBQYDK2VuBCIEIGCCufpem+pMrhHcQwUvrUxh0KQ9zrNjuAVxM/E4d5hN\n" +
+                        "-----END PRIVATE KEY-----";
+                    break;
             }
 
             return true;
         }
 
+        private static bool GetPemPublicKey(
+            PivAlgorithm algorithm,
+            out string pemKey)
+        {
+            pemKey = null;
+
+            switch (algorithm)
+            {
+                default:
+                    return false;
+
+                case PivAlgorithm.Rsa1024:
+                case PivAlgorithm.Rsa2048:
+                case PivAlgorithm.EccP256:
+                case PivAlgorithm.EccP384:
+                    break;
+
+                case PivAlgorithm.EccEd25519:
+                    pemKey ="-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAvvmMviNf0LdUmfr5dVNZQaC79t3Ga7xTaD62d+icCtE=\n-----END PUBLIC KEY-----";
+                    break;
+                
+                case PivAlgorithm.EccX25519:
+                    pemKey =
+                        "-----BEGIN PUBLIC KEY-----\n" +
+                        "MCowBQYDK2VuAyEAyZ3Gl2lM1X9SVyAFjGi5skd28d9mQtJW1uf/zlrIhCU=\n" +
+                        "-----END PUBLIC KEY-----\n";
+                    break;
+            }
+
+            return true;
+        }
         private static byte[] GetArbitraryDataToSign()
         {
             string arbitraryData = "To demonstrate how to sign data we need data to sign. " +
                 "For this sample code, it doesn't really matter what the data is, " +
                 "so just return some arbitrary data.";
+            
+            arbitraryData = "Hello, Ed25519!";
+
 
             return System.Text.Encoding.ASCII.GetBytes(arbitraryData);
         }
+        
+        private static byte[] GetBytesFromPem(
+            string pemData)
+        {
+            var base64 = StripPemHeaderFooter(pemData);
+            return Convert.FromBase64String(base64);
+        }
+        
+        private static string StripPemHeaderFooter(
+            string pemData)
+        {
+            var base64 = pemData
+                .Replace("-----BEGIN PUBLIC KEY-----", "")
+                .Replace("-----END PUBLIC KEY-----", "")
+                .Replace("-----BEGIN PRIVATE KEY-----", "")
+                .Replace("-----END PRIVATE KEY-----", "")
+                .Replace("-----BEGIN EC PRIVATE KEY-----", "")
+                .Replace("-----END EC PRIVATE KEY-----", "")
+                .Replace("-----BEGIN CERTIFICATE-----", "")
+                .Replace("-----END CERTIFICATE-----", "")
+                .Replace("-----BEGIN CERTIFICATE REQUEST-----", "")
+                .Replace("-----END CERTIFICATE REQUEST-----", "")
+                .Replace("\n", "")
+                .Trim();
+            return base64;
+        }
     }
 }

Yubico.YubiKey/examples/PivSampleCode/SlotContents/SamplePivSlotContents.cs

@@ -14,7 +14,6 @@
 
 using System;
 using System.Security.Cryptography.X509Certificates;
-using Yubico.YubiKey.Cryptography;
 using Yubico.YubiKey.Piv;
 using Yubico.YubiKey.Sample.SharedCode;
 
@@ -33,8 +32,6 @@ public class SamplePivSlotContents
 
         public PivPublicKey PublicKey { get; set; }
 
-        //public IPublicKeyParameters PublicKeyParameters { get; set; }
-
         public CertificateRequest CertRequest { get; set; }
 
         private byte[] _certRequestDer;
@@ -50,8 +47,12 @@ public void PrintPublicKeyPem()
         {
             char[] pubKeyPem;
 
-            if (PublicKey.Algorithm.GetKeyType() == KeyType.X25519 || PublicKey.Algorithm.GetKeyType() == KeyType.Ed25519) {
-                var publicKeyParameters = KeyParametersPivHelper.CreatePublicKeyParameters(PublicKey.PivEncodedPublicKey, PublicKey.Algorithm.GetKeyType());
+            if (PublicKey.Algorithm is PivAlgorithm.EccX25519 or PivAlgorithm.EccEd25519) 
+            {
+                var publicKeyParameters = KeyParametersPivHelper.CreatePublicKeyParameters(
+                    PublicKey.PivEncodedPublicKey, 
+                    PublicKey.Algorithm.GetKeyType());
+                
                 pubKeyPem = PemOperations.BuildPem("PUBLIC KEY", publicKeyParameters.ExportSubjectPublicKeyInfo());
             } else {
                 pubKeyPem = KeyConverter.GetPemFromPivPublicKey(PublicKey);

Yubico.YubiKey/examples/PivSampleCode/YubiKeyOperations/KeyPairs.cs

@@ -14,6 +14,7 @@
 
 using System;
 using System.Security.Cryptography.X509Certificates;
+using Yubico.YubiKey.Cryptography;
 using Yubico.YubiKey.Piv;
 
 namespace Yubico.YubiKey.Sample.PivSampleCode
@@ -54,8 +55,10 @@ public static bool RunGenerateKeyPair(
         public static bool RunImportPrivateKey(
             IYubiKeyDevice yubiKey,
             Func<KeyEntryData, bool> KeyCollectorDelegate,
-            PivPrivateKey privateKey,
-            PivPublicKey publicKey,
+            // PivPrivateKey privateKey,
+            // PivPublicKey publicKey,
+            IPrivateKeyParameters privateKey,
+            IPublicKeyParameters publicKey,
             byte slotNumber,
             PivPinPolicy pinPolicy,
             PivTouchPolicy touchPolicy,
@@ -82,13 +85,13 @@ public static bool RunImportPrivateKey(
                 // The Import method does not need the public key, so we're
                 // building it with no public key. If you want, you can add the
                 // public key.
-                slotContents = new SamplePivSlotContents()
+                slotContents = new SamplePivSlotContents
                 {
                     SlotNumber = slotNumber,
-                    Algorithm = privateKey.Algorithm,
+                    Algorithm = privateKey.KeyType.GetPivAlgorithm(),
                     PinPolicy = pinPolicy,
                     TouchPolicy = touchPolicy,
-                    PublicKey = PivPublicKey.Create(publicKey.YubiKeyEncodedPublicKey),
+                    PublicKey = PivPublicKey.Create(publicKey.ToPivEncodedPublicKey(), publicKey.KeyType.GetPivAlgorithm()),
                 };
             }
 

Yubico.YubiKey/examples/PivSampleCode/YubiKeyOperations/PrivateKeyOperations.cs

@@ -42,9 +42,19 @@ public static bool RunSignData(
             int keySizeBits = keyAlgorithm.KeySizeBits();
 
             // Before signing the data, we need to digest it.
-            byte[] digest = MessageDigestOperations.ComputeMessageDigest(dataToSign, hashAlgorithm);
+            byte[] digest = dataToSign;
+            if (keyAlgorithm == PivAlgorithm.EccEd25519)
+            {
+                using (var pivSession = new PivSession(yubiKey))
+                {
+                    pivSession.KeyCollector = KeyCollectorDelegate;
+                    signature = pivSession.Sign(slotNumber, digest);
+                }
+
+                return true;
+            }
 
-            if (keyAlgorithm.IsEcc())
+            if (keyAlgorithm.IsEcc() && keyAlgorithm!= PivAlgorithm.EccEd25519)
             {
                 // If the key is ECC, the digested data must be exactly the key
                 // size. For example, if the key is EccP384, then the digest